The Australian Law Reform Commission has suggested individuals be given the power to compel organisations to delete or de-identify information held about them.
As signalled by iTnews last week, the ALRC handed down a set of 47 proposals this morning for how privacy protections could be strengthened in Australia.
One proposal involved the addition of a new Australian Privacy Principle (APP) to the recently reformed Privacy Act.
The new law would give individuals the power to have their identities and details effectively erased from the databases of entities that have collected information about them legitimately.
Entities would also need to offer a “simple mechanism” for users to make the erasure requests, the ALRC said.
Under the proposed changes, APP entities (organisations with a turnover of more than $3 million per annum) would need to demonstrate that they took “reasonable steps” to meet the request within a “reasonable time”, to avoid fines of up to $1.7 million.
“Ensuring that individuals have a means to rapidly remove such information is one way to reduce the availability of private information,” the Commission said.
The ALRC said the proposal would strengthen the current list of APPs which include “similar, but weaker, requirements”.
The amended Privacy Act, which took effect earlier this month, gives individuals the right to access information held about them, to ask for it to be corrected, and makes provisions for the destruction of information once the purpose it was originally collected for has expired.
But the ALRC made clear it did not endorse the adoption of a “right to be forgotten” of the type currently being considered by the European Union.
Unlike the EU proposal, the ALRC's suggested changes are strictly limited to information that has been provided by the requester themselves.
It would not give individuals any scope to demand that information posted online or provided by a third party be removed, meaning that posts about an individual – but not made by them – would not become subject to erasure requests.
The ALRC has also invited feedback on whether or not a regulator, such as the Office of the Australian Privacy Commissioner (OAIC) or the Australian Communications and Media Authority (ACMA), should be able to enact take-down notices on an aggrieved individual’s behalf.
But it steered clear of taking a stance on such an approach, acknowledging there was a risk that "such a system may have an undesirably chilling effect on online freedom of expression”, despite having merit in some circumstances, it said.
The ALRC put forward a model whereby three conditions would have to be met before a regulator took action: it must have received a complaint from an individual; the individual must have already made a failed request to the website etc. to have the content removed; and the content must been deemed by the regulator to constitute a serious invasion of privacy.
The ALRC is inviting feedback on its discussion paper until 12 May 2014, before it submits its final advice to Government before the end of June.